[BreachExchange] Nearly 50,000 AdventHealth Patients Impacted in Yearlong Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Feb 20 09:08:42 EST 2019


https://securitytoday.com/articles/2019/02/20/nearly-50000-adventhealth-patients-impacted-in-yearlong-data-breach.aspx

Nearly 50,000 AdventHealth Medical Group Pulmonary and Sleep Medicine
patients are being notified that their personal and health information
was breached for more than a year due to a hack of the Florida
provider's systems.

On December 27, 2018, officials of the provider discovered that a hacker
had gained access to the AdventHealth systems beginning in August 2017 —
more than 16 months earlier.

The breached data of 42,000 patients contained troves of personal and
health data, including medical histories, insurance carriers, Social
Security numbers and some demographic information like names, phone
numbers and email addresses.


AdventHealth said that any patient whose information was made
vulnerable will receive a year of free identity monitoring services.
The company also said it has since improved its processes to bolster
its auditing and system safeguards.

"While the longstanding focus of attackers has been financial data
from retail, e-commerce, and financial services sectors, the untapped
trove of personal data are a series of softer targets such as
localities, social services, and healthcare," Warren Poschman, senior
solutions architect at comforte AG, said. "Not only are these systems
just as rich with data as the traditional targets but security often
lags due to the focus on, in the case of healthcare, patient care over
IT."

Poschman said AdventHealth had a series of perimeter and intrusion
security measures, but none of them ultimately detected the
16-month-long breach.

"Similar to Equifax and other long-term breaches, data was accessed
and likely exfiltrated because it was stored in the clear or protected
by passive means such as volume level encryption or database
encryption," Poschman said. "Therein lies the issue – attackers went
undetected because the perimeter was breached and once inside there
was nothing substantial to stop the attackers from accessing the real
target, their patient data. Instead of focusing solely on the
perimeter and network levels, healthcare providers are highly advised
to implement strong data protection strategies that deal with the
eventuality of attackers gaining some level of access to a network –
after all, it’s the data that the attackers are after, not the
firewalls, servers, and other infrastructure."

Poschman suggests that companies dealing with healthcare data adopt a
data-centric security model that protects the data from the moment it
is acquired and as it moves through the organization. If an attacker
gains access through the perimeter, the risk that the actual personal
data will be exposed is then dramatically reduced, because the data
itself carries this high level of protection.

